Posted by Hemos on Thursday September 20, 2001 @02:06PM from the what-goes-into-it dept.

frantzdb writes "We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

The problem with weakening crypto is that anybody may be able to recover the keys, not just the folks that mandated the back door. Also, there are long term issues with this. What if a trusted party today becomes an untrusted party in the future? What do we do when the current threat is over? What if the bad guys figure out the backdoor? Would you have worse problems from them than you have now with the folks blowing things up? What if the US government gets weird and refuses to give up the back door once the crisis is over?

And finally: What about the huge deployed base of strong crypto?

One more finally: Little evidence has been given that strong crypto is being used today as a shield for the communications with this group. Why should we give up our rights based only on the say so of the Government, one that has lied to us in the past?

What if the US government gets weird and refuses to give up the back door once the crisis is over?

"What if"? Why would they?

Why would they give up such a valuable advantage in the fight against <insert current object of vilification>? Terrorists, drug smugglers/dealers, criminals, communists, dissidents - all have had war declared on them at some point, by some country or other, and all could benefit from the unrestricted use of strong crypto.

Even if the war against terrorism is won, this legislation would stay in place, to aid the war against the next great evil.

What if a trusted party today becomes an untrusted party in the future?

That's exactly the problem I have with this, and all privacy-limiting developments. Here in the UK, as I'm sure you're aware, we have more than our fair share of CCTV cameras on the streets. Every argument in favour of them seems to revolve around the same core assumptions:

1) They help cut crime, thus making everyone safer
2) You can trust the Police and the Government

I have to agree, up to a point. They do cut crime, at least in the covered areas, and I can trust the police and government, now. How do I know I'll still be able to trust them in 20 years time?

I don't. I just have to hope that I will be able to, because the way things are going, if I can't, I'm going to be in serious trouble. The same is true in this case - if legislation like this is passed now, it makes a future rogue government's job all the easier.

What about the huge deployed base of strong crypto?

That's easy. It would become illegal to use it.

If the agency monitoring communications (NSA, MI5, KGB, whoever wherever you are) acquired a message that they could not read, you'd be arrested, and ordered to decrypt it. (There is already provision for pretty much this to happen in UK law, thanks to the Regulation of Investigatory Powers Bill)

At best, on proving that it's an innocent message, you'd get a slapped wrist and threats of bad things happening if you continued to use strong crypto. At worst, you'd do time just for using crypto they couldn't break.

Even if they *did* work, what's the purpose? To keep tabs on terrorists? Bwahaha. Bin Laden is already one step ahead in the high-tech race. He <gasp!> turned off [theregister.co.uk] his cellphone, ditched the e-mail account and he's now communicating through human messengers!

Crypto backdoors... Carnivore... Echelon... what a load of absolute crap.

The reason they are placing these backdoors is to stop terrorism and other crimes from occurring... now I don't know about you, but if I was to fly a plane into a large building I would be sure as hell to use my own crypto, not some algorithm with a backdoor from the government. I mean please, people like bin Laden have billions of dollars; you don't think they could get a kid to code something for them? All this is going to do is make the government get on the backs of innocent people using "illegal" crypto.

In addition, if the remote control features of the planes that they are talking about today were also in place and used legal cryptography, then if I were a terrorist, I would not even have to hijack the plane, if I obtained one of the master keys! This backdoor idea is about the least intelligent thing I have ever heard.

An alternative to direct key escrow is the system used by Lotus Notes for their export versions a while back. Known as a "Work Factor Reduction Field", it's some fractional part of the key (Lotus used 24 of the 64 bits in their keys), encrypted with a system-wide key (usually half of an asymmetric key pair) and included in the transmission.

The problem here is that this system-wide key now becomes the sweet one-stop-shopping target for crackers that the whole escrow system seeks to avoid.
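To make the Work Factor Reduction Field idea from the post above concrete, here is an added example written for this page (it is not Lotus Notes code, and nothing beyond "24 of the 64 bits, encrypted under a system-wide key" is taken from the post). The system-wide key is modelled as an HMAC secret rather than the half of an asymmetric pair Lotus used; which bits of the key go into the field, the nonce, the toy stream cipher and the known message prefix are all assumptions. The recovery demo runs at toy sizes (32-bit key, 20-bit field) so the escrow-side brute force of the remaining 12 bits finishes instantly, while `work_factor_bits()` gives the 64/24 arithmetic from the post: whoever holds the system-wide key (the legitimate escrow agent or anyone who has stolen it) faces a 2^40 search instead of 2^64.

```python
import hashlib
import hmac
import random

LOTUS_KEY_BITS = 64    # key length in the export version, as stated in the post
LOTUS_WFRF_BITS = 24   # bits of the key disclosed through the field, as stated in the post


def _mask(system_key: bytes, nonce: bytes, wfrf_bits: int) -> int:
    """Pad derived from the system-wide key. This stands in for public-key
    encryption of the field (assumption: Lotus used half of an asymmetric pair)."""
    digest = hmac.new(system_key, b"wfrf:" + nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << wfrf_bits) - 1)


def make_wfrf(session_key: int, system_key: bytes, nonce: bytes,
              key_bits: int, wfrf_bits: int) -> int:
    """Sender side: disclose the top wfrf_bits of the session key, masked so
    that only the holder of the system-wide key can read them."""
    top = session_key >> (key_bits - wfrf_bits)
    return top ^ _mask(system_key, nonce, wfrf_bits)


def open_wfrf(field: int, system_key: bytes, nonce: bytes, wfrf_bits: int) -> int:
    """Holder of the system-wide key recovers the disclosed bits."""
    return field ^ _mask(system_key, nonce, wfrf_bits)


def encrypt(session_key: int, key_bits: int, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by the session key (demo only, not Lotus's cipher)."""
    ks = hashlib.shake_128(session_key.to_bytes(key_bits // 8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


decrypt = encrypt  # XOR with the same keystream undoes itself


def work_factor_bits(key_bits: int, wfrf_bits: int, holds_system_key: bool) -> int:
    """Exponent of the brute-force search left to an attacker: the field removes
    wfrf_bits from the search only for whoever can open it."""
    return key_bits - wfrf_bits if holds_system_key else key_bits


def recover_session_key(ciphertext: bytes, field: int, system_key: bytes, nonce: bytes,
                        key_bits: int, wfrf_bits: int, known_prefix: bytes) -> int:
    """Escrow-side recovery: open the field, then brute-force the remaining low bits,
    recognising the right key by a known plaintext prefix."""
    top = open_wfrf(field, system_key, nonce, wfrf_bits)
    low_bits = key_bits - wfrf_bits
    for low in range(1 << low_bits):
        candidate = (top << low_bits) | low
        if decrypt(candidate, key_bits, ciphertext[:len(known_prefix)]) == known_prefix:
            return candidate
    raise ValueError("no candidate key matched the known prefix")


def demo(key_bits: int = 32, wfrf_bits: int = 20, seed: int = 7):
    """Toy-sized run: returns (original session key, key recovered via the field)."""
    rng = random.Random(seed)
    system_key = b"constructed-system-wide-secret"   # constructed, not a real key
    nonce = b"msg-0001"
    session_key = rng.getrandbits(key_bits)
    message = b"MEMO: lunch moved to noon"           # constructed sample message
    ciphertext = encrypt(session_key, key_bits, message)
    field = make_wfrf(session_key, system_key, nonce, key_bits, wfrf_bits)
    recovered = recover_session_key(ciphertext, field, system_key, nonce,
                                    key_bits, wfrf_bits, b"MEMO:")
    return session_key, recovered


if __name__ == "__main__":
    print("Lotus-sized search with system key: 2^%d, without: 2^%d" % (
        work_factor_bits(LOTUS_KEY_BITS, LOTUS_WFRF_BITS, True),
        work_factor_bits(LOTUS_KEY_BITS, LOTUS_WFRF_BITS, False)))
    original, recovered = demo()
    print("toy recovery succeeded:", original == recovered)
```

The point the post makes falls straight out of `work_factor_bits()`: the field does nothing to the legitimate recipient (who already has the full key) and nothing to an outsider without the system-wide key, but it collapses the search for anyone who has that one key, which is why that key becomes the single target worth attacking.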

> An alternative to direct key escrow is the system used by Lotus Notes for their export versions a while back. Known as a "Work Factor Reduction Field"

And how many billions of dollars would US businesses lose when their "secure" communications were cracked, not by NSA, but by foreign competitors?

Bin Laden may have made hundreds of millions of dollars by buying put options in airline and reinsurance companies two weeks ago.

Do we really want to give him and his associates access to that kind of money with the touch of a keyboard?

Do we really want to find out what our enemies could do with that kind of money if he could operate underneath the radar, possibly making several such transactions, over the course of ten years?

NSA isn't the only bunch of folks with access to supercomputers.

#include <beowulf_joke.h> /* ha ha, only serious */

If anything can be cracked, it will be. Our financial system relies on the security and integrity of businesses' ability to communicate.

Just as the enemy can engage in asymmetrical warfare on the physical battlefield (lobbing 767s into our physical infrastructure, where we can't bomb Afghanistan to the Stone Age 'cuz the Russians beat us to it), they can also engage in asymmetrical warfare in the infosphere (destabilization through insertion of false transactions into our financial systems, a task greatly simplified through a reduction in cryptographic strength -- again choosing to fight where they have no comparable financial infrastructure that we can target in return).

If NSA still has any pull with Congress, I hope they'll be able to nip this one in the bud. I'd even go so far as to suggest that the second part of their mandate -- defending American communications from compromise -- obliges them to try.

>And how many billions of dollars would US businesses lose when their "secure" communications were cracked, not by NSA, but by foreign competitors?

How many dollars have non-US businesses already lost because of NSA giving information captured by Echelon to US companies? It would be hypocritical for US residents to complain of activities that they do themselves routinely.

> How many dollars have non-US businesses already lost because of NSA giving information captured by Echelon to US companies? It would be hypocritical for US residents to complain of activities that they do themselves routinely.

Absolutely correct...

...which makes it all the more suicidal for us to knowingly re-expose ourselves to that risk (remember, the French did it to us too on behalf of one of their companies;-) while other countries' corporate transmissions remain secure.

From an export point of view, strong encryption is considered "arms". Last time I checked the constitution, we have the right to bear arms and that right cannot be infringed. Perhaps we need some help from the NRA???;)

In the spirit of free-as-in-chaos, I have instituted my own private moderation system. Under this system, I hereby give you +1 Hackish. If more people thought like this the world would be a much better place (IMHO).

I certainly hope not... My guess is that upon generating a key, a separate key is also generated. This key (the other half of which the NSA has) could be used to encrypt the original sender's private key. This would allow the NSA (I don't know which TLA will hold the keys, just substitute your favorite one in here...) to be able to retrieve the private key and decrypt the transmission... This is pure speculation...

That law is called obstruction of justice. If you have a key, it can be subpoenaed at any time, if they can prove to a judge that your encrypted data may include things necessary to proceed with a trial. If you don't hand it over, or conveniently "lose" your copy, you get hit with obstruction of justice and you look like an incompetent fool who can't even keep track of his own crypto keys.

I doubt that there is a 5th amendment issue here. Consider that there is no 5th amendment issue with taking fingerprints, court ordered blood tests in criminal cases, and required breathalyzer tests in suspected drunk driving cases, among other things. The 5th amendment protection, "nor shall [he] be compelled in any criminal case to be a witness against himself", has generally been very narrowly construed by courts, if I remember correctly, to be just that - they can't force you onto the stand in a criminal case against you; even then, once you have chosen to take the stand, you CAN in fact be forced to give testimony that is not in your favor. (IANAL and all that, but I do remember some of the things that I learned in civics classes:-)

A lot of the technology behind the last time Congress/the prez tried to cram crypto backdoors down our throat [eff.org] is unfortunately classified, but the basic way it would work is that each key would have its own identifier it shouts out in the process of sending packets back and forth. Upon court order (or not, if there are crooked lawmen), the mandatory escrow part, which is how most modern crypto backdoor setups work, is used to get the private key and decrypt the message.

Steven Levy's excellent book "Crypto", which was reviewed here a few months back, has the basic gist of the technology. As the technology is mired in classified work and patents, it's a minefield that will have to be carefully traversed.

The Government tried to implement key escrow a while ago. Basically, when you generate your keys you must submit the key to the government so they have a copy. It's kind of like your landlord.

You have a key for your apartment. So does he. If you get locked out he can come on in and let you back in. If you're growing a Pot Farm he can give it to the feds when they have the search warrant and let them in with out bustin no doors down.

Implementing a mechanical backdoor other than key escrow would suck. Short of the US Government getting hacked, your keys should be safe with them (unless of course you believe the US Government's sole purpose in life is to get you). If you implement a mechanical back door, just wait until it gets reverse engineered. All hell will break loose.

If backdoors are implemented, I'm a fan of key escrow.

However, what's to stop a terrorist from writing their own version of a public cryptosystem such as RSA and not giving anyone keys? Guess there will also have to be a law that says if your key isn't registered and you're communicating with it then the government can arrest you.

You could use the government's public key to encrypt your private key; sort of like registering your car, you would have to register your key. The problem is that you could send them any old crap and say it was your key. The only way they would know is if they tested it by decrypting a message.

This is all beside the point, because terrorists won't register their keys. If the US government can't stop spam, what makes them think they can stop encrypted messages?

Crypto backdoors sound good, but in reality they won't help at all. The biggest part of the problem, as you pointed out, is just figuring out what is encrypted and what isn't. According to this article [yahoo.com], the hijackers were sending each other unencrypted emails. If they couldn't even intercept unencrypted messages, how do they think backdoors will help?

One basic assumption of crypto backdoors is that people will actually use crypto that has the backdoor capability. It's like trying to limit encryption to 128 bits or 4096 bits or whatever it is these days. You can just write your own encryption program (or download & hack the source to some existing program) and create 65536 bit encryption if you want. Sure, it's illegal, but if you don't want the feds to find out about your nefarious plans, so what?

Believe me, we can expect a lot more stupid, reactionary legislation in the coming weeks & months (am I the only one who doesn't feel any safer knowing that the guy on the plane next to me doesn't have his Bic disposable razors????). Thank god we haven't locked up all the Arab-Americans because they could be terrorists...

Even more fundamental and larger is figuring out what is interesting and what isn't. The unencrypted emails you mention were probably exchanging flight info, planning when they wanted to fly, where they should go, where they would come from, and so forth. Reading the email in advance probably wouldn't give anything away to someone not part of the group -- it would be profoundly stupid for them to read email that could incriminate them in a public library, where, even if it weren't examined by the FBI, someone waiting for the computer could simply happen to look over their shoulder.

It's an essentially unbreakable end-to-end chaffing system: only say things that are just like what anyone would say if they were doing ordinary things, but have some shared understanding that only the people involved know about (like, when we're all on planes at the same time, we'll hijack them).

...I wonder how feasible it would be to modify a cryptosystem so that when the government used their backdoor, the message decrypted into some arbitrary text chosen by the individual, but when decrypted through the proper channels, the message is the intended one...

Unfortunately, this involves solving simultaneous number-theory equations, multiple equations of the sort that would be necessary to break the code algorithmically in the first place by calculating private keys from public keys. If it is computationally infeasible to do that, what you suggest is far harder!

For one, the government would most likely be going after the manufacturers of encryption software instead of the users of encryption software.

Which means the law will be useless because encryption is already out.

The backdoor will probably be in the form of a key or a series of keys that one or more entities has. To make it seem better, multiple authorities will have portions of the key, so that you can't just grab one repository.

You can do statistical analyses and generally figure out if something has a likelihood of being encrypted. It's a cold-war technology that probably got much usage back then. But it's not the kind of thing you could deploy across the entire network.

Now, I'm not a privacy whacko. I don't encrypt my hard drive. I'm not anti-government. I'm generally pretty pragmatic. But even I don't think that we should have backdoors on encryption software. Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?

"Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?"

They have oxyacetylene torches for your safe, and a battering ram for your door. This is why they are considering the legislation: there is no way of reliably cracking properly-done strong crypto in a reasonable amount of time (less than billions of years.) You can't force your way to a key, or buy it, like you can force a door or buy a better torch to get into safes faster.

The feds had Mitnick's laptop(?) for five years and made no progress in breaking the encryption he used...

What's different about encryption is that even if they do get a warrant to look at the data contained in an encrypted file, they can't break the encryption with current technology (at least in a reasonable timeframe).

50% of the time if they broke in the key would be right there unencrypted on the computer. 45% of the time the key would be protected by an easy to crack password. The other 5% of the time the police could plant a key capture device and get the password.

Key escrow is much much worse than the government having a key to your apartment. It is equivalent to having a ban on possessing private thoughts. Consider a simple encryption scheme which could be done in your head. This plan would make it illegal to memorize a number without telling it to the government. It's that scary.

This will only stop the unsophisticated users. While the government is backdooring into some 1337 h4x0r script kiddies' communications, terrorists cells will be communicating through steganographic messages with non-government-approved encryption on the local pr0n site.

There is no easy answer to this question. It certainly depends on the algorithms used. It depends on who implemented it, tamper-free devices, and much more. Here are a couple of links that might give the interested reader some points to start:

The simple reason is that as long as there is an algorithm that cannot be penetrated, either by force or by escrow, that algorithm can hide data. On this, at least, the cat is out of the bag.

One of the more likely scenarios which could possibly keep criminals away from data while allowing governments to have access would be an agreement worldwide on a data-encryption standard that included key-escrow. Likely this would be implemented with a large database of registered keys rather than a "skeleton key" approach simply because the "skeleton key" would be a ridiculously easy target. Of course, this whole scenario cannot work for catching dissidents and criminals, and therefore cannot serve the purpose of fighting terrorists.

The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data. This works fine for average citizens who only use the mandated encryption standard, but, Surprise! When the government uses the key of terrorist Tim to decode his messages, they find that not only did he use the mandated scheme, but he also encrypted his data with his own scheme, which, of course, is unbreakable with current technology. Terrorist Tim wins in two ways here, not only did his data remain secure, but he also managed to waste a large amount of the government's time and resources.

The fact that this is even being proposed shows the ignorance of technology rampant in Congress. I live in NH, maybe I'll write a letter to Senator Gregg.

The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data.

But if you remember, the biggest issue in the Clipper Chip deal was that they changed the wording that created the "Fruit of the poison tree" doctrine that currently keeps illegally acquired evidence out of the courtroom. They might try to do away with the evidence requirement.

Of course, that depends on what the real purpose is. The purpose might be to create lawbreakers.

"There's no way to rule innocent men. The only power any government
has is the power to crack down on criminals. Well, when there aren't
enough criminals, one makes them. One declares so many things to be
a crime that it becomes impossible to live without breaking laws."
-- Ayn Rand, "Atlas Shrugged"

I've been formulating a "conspiracy" theory with speed limits that is similar to this argument. The idea is that you make the speed limit so ridiculously low that everyone goes much much faster than posted, and thereby generate revenue for the city or town in speeding tickets.

- write message
- apply method of Chaffing and Winnowing (above) or method of hiding messages in spam [spammimic.com].
- hide that message in favorite media with outguess [outguess.org].
- encrypt that with PGP [pgpi.com] or GnuPG [gnupg.org].
- encrypt that with the mandated, key-escrowed, back-doored technique
Now there are several barriers to break down, but only the easy one is known about until an investigation is already under way.

Or:
- said terrorist could avoid electronic communications, and meet face to face in a public park or on a public bus or in a crowd

Ask a gardener how they deal with weeds. Do you just remove what you can see, or do you go after the roots? Ask a doctor how he/she deals with a disease. Does he/she treat the symptoms and hope for the best over time, or does he/she treat the source of the disease?

Yes, cutting off one of their means of communication would be an inconvenience for people who have evil plans. But is there a better way that we can deal with their evil plans in the first place?

That chaffing and winnowing article is the coolest thing I have read in a long time. I'm not joking. Everyone here would probably enjoy it. It discusses not only technical issues, but their legal and social consequences.

[Last time [slashdot.org] I wrote this, it was Flamebait, so I'll try to be more careful.]

Yes, it is generally agreed that modern encryption algorithms can hide data with virtually perfect security. But this alone is not relevant, as long as the government can detect the use of these algorithms.

All the government has to do to nail your "Terrorist Tim" is observe that he is using encryption, and check for the existence of a matching escrowed key. Presumably, any key escrow system would allow for verification that a message was encrypted using an escrowed key, without actually retrieving the key or decrypting the message. Thus, it is entirely conceivable to me that the government could enforce the use of key escrow: Whenever they see encrypted traffic that does not use an escrowed key, they trace the user via the ISP and prosecute him. And maybe they drop the connection, so you can't even get one message through then hide.

So, anyone who wants Internet privacy under this regime must hide the fact that they are hiding data. But, you say, there's a whole field dedicated to this end, called steganography, so the government loses again. While steganography is exciting and promising, it's not the knock-down argument that you seem to think.

First, I agree that it is easy to covertly communicate a small amount of information to someone with whom you have prepared ahead of time. Any simple system of code words or similar is probably secure for a brief message or two. But,...

People need to communicate more than a few messages on a predetermined subject. A naive system will not stand up to statistical analysis of many messages. For example, you might think that coding messages in the first characters of each word would be undetectable. Hardly -- just look for anomalies in the letter frequencies of the first letters.

People need to communicate without having arranged a system beforehand. Even serious steganography (at least the systems I know about and can imagine) requires a shared secret, implying major challenges in key exchange. In the age of public keys (now the lynchpin of virtually all secure communication), we forget about what an enormous breakthrough asymmetric cryptography was.

Even serious steganography may be detectable [outguess.org]! Just as the government can monitor for non-escrowed keys, they can monitor for any steganography system that they have broken. It is currently not known whether undetectable steganography can be developed.

Steganography does not have the infrastructure, either in software or in familiarity and understanding, that encryption has. We all know that quality of implementation and good practices are as important as mathematical strength in the successful use of cryptography. Thus, people need to have software they can use and an understanding of dos and don'ts. At least, it will take some time before steganography reaches the level of encryption in these regards.

(In the above, you may substitute "terrorists" for "people".)

The point: not that the government should or will do this; but that if they decide to do it, it is not futile! It really could (in addition to destroying the privacy of lawful citizens) slow down terrorist communications (assuming that terrorists use the Internet, which people seem to think they do). So we need a better argument against it than "this is stupid, it can't work".

Presumably, any key escrow system would allow for verification that a message was encrypted using an escrowed key, without actually retrieving the key or decrypting the message

Just re-encrypt the illegally encrypted data. No way to find out that the contents are unreadable without actually decrypting it. Thus the only way to spot verboten encryption is to decrypt everything.

Oops, you're right. So the situation isn't quite as bad as I thought (since routine decryption would be a hard sell for the government).

Actually, it could work, assuming that it's only used after a warrant has been acquired. The feds get the warrant, try to decrypt the info, and can't. Or they decrypt it, and find another layer of encryption underneath. Then they can charge the terrorists with use of illegal encryption and send them to jail for a few years.

Whups, you guys just destroyed the key when you seized Tim's box. He has forgotten his password. He is a member of a terrorist organization who is willing to die (or go to prison) for his beliefs.

The purpose of gathering intelligence is not always to convict a criminal, often it's to get his compatriots or to leave open an intelligence channel that can be exploited at a later time.

Making it illegal to encrypt your data with unbreakable methods is something not very likely to happen. Holding someone in contempt of court for not supplying the key for evidence is much more likely. This doesn't help when you are intelligence gathering, though, as I have previously stated.

You must really think that terrorists are stupid. It would be a trivial matter for the terrorist to encrypt their information with real encryption (say GPG), and then encrypt it with the government sponsored fake encryption. The message would look like any other encrypted message, but the government still wouldn't be able to read it.

This also assumes that the terrorists aren't using steganography of some sort to hide their messages in pictures.

In other words the government's anti-crypto plan would only work against everyday, standard, run-of-the-mill, law-abiding citizens. There is no way that key-escrow, crypto backdoors or any such measure is likely to work against terrorists. Unless, of course, the terrorists were blatant amateurs or idiots (in which case you could probably catch them without crypto back doors). The question then becomes: why is the government so interested in spying on normal citizens? They know that the terrorists have crypto that they can't break; they likewise know that these terrorists are not likely to give up the use of this crypto.

My guess, because I am not overly paranoid, is that they are simply passing the law to make people feel better. Normal citizens will believe that these laws help combat terrorism, and they will sleep better (even though they are not really any safer).

It has also been shown that the U.S. does fairly extensive spying on legal (but non U.S.) corporations. Since the U.S. writes the bulk of the software used in the world, U.S. laws against strong crypto guarantee that law abiding corporations in other countries are all of a sudden vulnerable to the U.S.'s prying eyes. Since this type of activity is probably good for the U.S. economy, I would say that it is a bonus.

My European friends, on the other hand, would probably disagree. That is likely the reason that the German government is paying for the development of GPG.

Most commercial crypto research is currently being done outside the U.S. because of the U.S.'s past beliefs about exporting crypto. All such a law would do is guarantee that foreign nations would be first to have the advantage of new crypto research.

There is no way that "the rest of the world" is going to give up crypto research. Especially since there is no good way to make mathematics illegal. If the U.S. gives up on crypto research we will simply make way for some other country to move to the forefront.

What is more likely is that the U.S. simply wants to be able to continue to spy on non-U.S. companies that rely on U.S. software. They've done it before.

Precisely. To be honest your point is a good one, I re-read my original message and it was definitely worded too strongly. Sorry:).

And I understand what it is like conversing in a foreign language. I spent 5 years of my life in South America. Most of the time as the only Yanqui for miles and miles. It is very easy to be misunderstood in a language that isn't your native tongue, even if you are skilled in its use (which you clearly are).

Currently PGP encrypted messages stick out like a sore thumb, and so I can see why it is that you figure that PGP (or GPG) encrypted messages would be detectable from government sponsored messages. You are probably even correct. Heck, most PGP encrypted messages are ascii-armored and have a nifty header proclaiming how they were encrypted. However, terrorists would almost certainly either modify their software so that it output headers that matched the government sponsored crypto, or, even easier, they would simply re-encrypt their encrypted messages with the government sponsored tools.

The only way that the government would know the contents of your message would be to decrypt it (using precious cycles), and when they decrypted it all they would find was a GPG encrypted message!

In other words, if such a system became commonplace they would be worse off than they are now (where most email are simply plain text).

I also agree that using U.S. resources to spy for American companies is wrong. I should have used a smiley so that you would realize I was being sarcastic. Although I am a U.S. citizen until recently I worked for a non U.S. corporation.

"We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

There is no such thing as "random bits of data" streaming through the network. All data has redundancies and self-imposed structure in order to convey information. Read Shannon for details on information theory.

Most currently available cyphers create a data stream that appears extremely randomized. This, in itself, could be a way for the government snoops to detect encryption: A sample of data that is more random than other data.

You can try the "compression test" for encryption. Try compressing some data. Check the file size. Now, encrypt the same data and run your compression program. You'll notice that the "compressed" file is the same size or larger than the original. This is because the encrypted data is "extremely randomized", and the compression program cannot find patterns in it to compress it. The snoops can use a similar test to detect encrypted data streams, i.e. over time, the probability of any character appearing is 1/n where n is the length of the alphabet (0-255 for bytes).

Steganography and hiding cyphertext in cyphertext (see Applied Cryptography) would be a good way around encryption back doors.

> You can try the "compression test" for encryption. Try compressing some data. Check the file size. Now, encrypt the same data and run your compression program. You'll notice that the "compressed" file is the same size or larger than the original. This is because the encrypted data is "extremely randomized", and the compression program cannot find patterns in it to compress it.

This is true of good random numbers, too. It's even more true of compressed data - this test will trigger on every gzipped or zipped file to pass through the network. It's also trivial to use some sort of base64 (or more complex encoding that uses letters with English frequency) over your encryption to break this.

It also doesn't distinguish encryption permitted by the government, and crypto using illegal keys and methods.

This won't work, because you can have false positives and false negatives.

The false positive case is obvious: if the data is already compressed, it will look like it's encrypted even if it's not. So some kid downloading Britney Spears' MP3s gets flagged as a terrorist.

You can also create false negatives by padding or otherwise injecting artificial redundancy. If "xyz" is entropic (doesn't compress, appears to be encrypted) then just send "xaayaazaa" (where the filler could be anything) and you'll fool anyone who's looking for too much entropy. So Osama's packets go right through Big Brother's net and no one even notices that they're encrypted.
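The "compression test" proposed earlier in the thread, and the false positives and false negatives described in this reply, can be measured directly. The following Python is an added example, not code from any poster; it uses zlib as the compressor, a seeded pseudo-random byte string as a stand-in for real ciphertext (a good cipher's output is indistinguishable from it), and constructed sample text rather than captured traffic. It shows that the test flags a compressed file exactly as it flags ciphertext, and that the "xaayaazaa" filler drives the compression ratio well under any sensible threshold, which is why the heuristic is unreliable as a detector:

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 is the ceiling for bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib level-9 output size over input size; at or above 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_encrypted(data: bytes, ratio_threshold: float = 0.95) -> bool:
    """The thread's 'compression test': flag anything the compressor cannot shrink."""
    return compression_ratio(data) >= ratio_threshold


def pad_with_filler(data: bytes, filler: bytes = b"aa") -> bytes:
    """The 'xaayaazaa' construction from the reply: a constant filler after every byte."""
    return b"".join(bytes([b]) + filler for b in data)


def strip_filler(padded: bytes, filler_len: int = 2) -> bytes:
    """Inverse of pad_with_filler: keep every (filler_len + 1)-th byte."""
    return padded[::filler_len + 1]


# Constructed samples (assumption: not captured traffic, just illustrative inputs).
_rng = random.Random(2001)
_WORDS = "the quick brown fox jumps over a lazy dog and then sleeps until noon".split()
PLAINTEXT = (" ".join(_rng.choice(_WORDS) for _ in range(700)) + "\n").encode()
CIPHERTEXT_STANDIN = _rng.randbytes(2048)   # stands in for the output of a good cipher
COMPRESSED = zlib.compress(PLAINTEXT, 9)    # what a .gz or .zip file looks like in transit
PADDED = pad_with_filler(CIPHERTEXT_STANDIN)


def classify_samples() -> dict:
    """Name -> (entropy bits/byte, compression ratio, flagged?) for each sample."""
    samples = {
        "plaintext": PLAINTEXT,
        "ciphertext": CIPHERTEXT_STANDIN,
        "compressed": COMPRESSED,
        "padded ciphertext": PADDED,
    }
    return {
        name: (round(shannon_entropy(d), 2), round(compression_ratio(d), 2), looks_encrypted(d))
        for name, d in samples.items()
    }


if __name__ == "__main__":
    for name, (h, r, flagged) in classify_samples().items():
        print(f"{name:20s} entropy={h:.2f} bits/byte  ratio={r:.2f}  flagged={flagged}")
```

Running it prints one line per sample: plaintext has low entropy and compresses well, while both the stand-in ciphertext and the already-compressed text come out at a ratio of about 1.0 and get flagged (the false positive), and the padded ciphertext drops to roughly half its size and is passed over (the false negative). A detector built on this heuristic therefore needs other signals (protocol context, headers, endpoint behaviour) before it can say anything about a stream.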

So your average data stream already has (or you may hope so) a rather high entropy. And the compression test does not work well.

The entropy in a compressed data stream isn't as high as you think. Remember that you have additional data at the beginning of the stream (and possibly at the end) that indicates which compression program/algorithm is used.

A good way to add entropy would be to compress the data, then encrypt it, then compress it again, then transmit it. Most decent encryption software tries to compress the plaintext first anyway to reduce redundancies.

I think it's a stupid idea to even toss around the idea of a 'crypto back door'. I can understand why politicians are desperately attempting to dig up the 'silver bullet' that would have stopped the WTC tragedy (and will stop the next horrific event from happening) -- but they're barking up the wrong tree for several reasons.

Making crypto 'safe' with a back door effectively makes it useless. Why would anyone in their right mind use a cryptographic algorithm knowing that a perfect stranger has a 'backdoor pass' to their information? The whole point of crypto is to only allow the intended recipient to view the secret information.

This idea would weaken any cipher that this idea is applied to. Why? Simple. Key recovery in a datastream you haven't ever seen before depends basically on one of 2 things: Brute force, and a little ingenuity. If you know that the cipher has a 'universal backdoor' then each stream encrypted with the cipher will be that much easier to crack -- because the streams will have to be somewhat similar.

What happens when the wrong people get the 'back door' key? You don't think that someone dangerous is going to somehow either recover the key manually, or steal it? Think again. A 'back door' key (or set of keys) of this scope would be too good to pass up. Why bother attempting to recover a key that unlocks one stream, when you can unlock a whole set of streams?

The cat's already out of the bag. Why would somebody who really wants to keep information secret use a cipher that didn't keep it secret -- especially when there are so many good ciphers (RC4, Twofish, etc.) that don't have a backdoor?
In short -- this is a braindead thought process that will lead the U.S. straight into another disaster.

RC4 is not considered a "good" cypher by anyone. Its weakness is a lot of the reason WEP was cracked so quickly and thoroughly.

Also, crypto with a back-door would be useful against criminals, just not against governments. For example, you mostly use SSH so hackers can't sniff your packets to get logins and passwords. It's nice to know that governments would be equally hard-put, but that isn't the primary purpose.

Plus, governments have many more resources than 1337 d00dz. They can log your keystrokes, or use other channels (Tempest shielding, keystroke timing, video cameras). Or they can just bribe your girlfriend. What, you don't have a girlfriend? Beware the next time some blonde bomb comes up to you and just can't get over your coding skills.

I hope more money goes into HUMINT of the latter variety than fruitless reactionary measures like key-escrow. Because I really am patriotic, but I want to be able to have some control over who reads my data.

Simply, that the only way to prove that something was encrypted "legally" would be to automatically break it, all of it, as it passes through various communications channels.

But this is too large of a job for just one person, or a (fiscally feasible) number of people, as much traffic may not pass through a central point. Machines will have to do it automatically, and there will have to be many of them. Who will make the machines? How will they guarantee that the backdoor isn't released? What if the machines themselves take a walk?

Steganography would be the only way around this, by hiding an encrypted snippet well enough that it doesn't look encrypted. What if someone posts a badly-encoded GIF of their cat on their personal page, and the so-called "Stego detectors" pick it up. Of course, the "message" isn't there. Therefore it can't be decrypted, and they will be flagged as a criminal... scary prospect.

As the technology progresses, only poorly done stego and innocent media would be caught. It's already possible to encode messages to be indecipherable from quantization noise by any theoretically possible system.

The biggest problem with this is what happens to those backdoor keys the government has. I mean first of all, how can we be assured that they can only use the keys with a court order? Furthermore, even if there's a way to assure that, is there any ruling that indicates that's even a requirement? I mean it seems that the fourth amendment might prevent unauthorized access but until a court rules it's hard to say. They could pass a law giving back doors and then later say that they can access them without court supervision (and the court may or may not support that).

The other problem is that if the government does start accessing things without a court order, how would you know? You could probably develop a crypto system that would leave obvious evidence if it has been accessed through a backdoor, but the government wouldn't want that because it might interfere with an investigation.

Run a honeypot using Linux on Linux and give the government the keys to that. One could furthermore have the overall system (which is still secure) page the owner when the government key is used. Even better, there will be nice logs of anything nasty they tried to do while they were in there. I love the idea of posting one of their "high tech secret" keysniffers all over USENET. The idea of the goverment wanting secret access to my boxen is ludicrous. If all else fails, I can transparently pass all traffic through a box that logs the hell out of any traffic passing through it. If I want to know when they're messing around with my boxen then I will. I will regard the government the same as a script kiddy: something to be monitored and contained.

I imagine the need for monitored and logged physical access is obvious too. The agents will look GREAT on camera when they suspect all of this and try to lay hands on the machines themselves.

The government has already done a lot of research into the area, and pretty much implemented a whole key-escrow system. Nobody used it and as a result it was a flop. To be honest, I don't know how much of the supporting infrastructure was actually deployed.

The basics of Clipper worked like this. The system was based on hardware encryption chips which implemented the protocol. No software versions existed AFAIK for obvious reasons. Each and every chip had a unique ID and "unit key". Each encrypted transmission had a Law Enforcement Access Field (or LEAF) prepended to it. The LEAF consisted primarily of the current session key encrypted with the unit key of the sending chip and its ID number. I believe the whole LEAF was then encrypted with a single key shared by all chips.

On the law enforcement end, the DoJ was supposed to maintain a database of all the chip ID / unit keys. There were lots of fancy promises made about the security of the database, and how it would be split in two so that two separate agencies would have to cooperate in order to gain access to the database, etc. All very feel good but in the end un-auditable and basically BS since the regulations guaranteed that there would be no penalty for improper access to the keys.

Anyway, the LEAF field in combination with the database allows access to the session key and hence the plaintext of any message.

The whole scheme has so many problems it's not even funny. Not the least of which are: the whole protocol has to be kept top secret. If you know how to generate a legitimate LEAF field, you know how to generate a bogus LEAF field too. An AT&T researcher published a paper about how to get two Clipper chips to talk to each other with bogus LEAF fields. It took a fair amount of trying to get random LEAFs which had valid checksums, but it was quite doable. Presumably, they won't repeat that mistake. Software implementations are pretty much verboten, since they are far too easy to reverse engineer or tamper with. If you are trying to mandate back-doored encryption, you would pretty much just mandate that all encryption be performed using NSA designed and approved chips manufactured by a secure contractor.

As to what stops you from sending random data, one need only imagine the government's response when they detect that you are sending random data. Such random data would be presumed to be illegally encrypted data, and you would be arrested as such. It's quite possible that you would be freed once you had shown that the data was random. In the meantime, your face would be plastered on the front page of the paper as a "suspected terrorist". You might expect to be held without bail due to the extreme danger a suspected terrorist poses to society. The draconian penalties involved will serve to keep people in check, not any technical ability. Look at the penalties handed down for DMCA violations. Then compare the severity of pirating a movie versus flying an airliner into a building. Finally, scale the DMCA penalties accordingly. You can imagine the outcome.

I have a friend who previously worked for a company (I forget the name) that does a sort of chip reverse engineering in the US. Essentially, they are paid to take chips apart and understand how they work in order to check for patent violations. Along the way they can also generate complete design schematics.

Pretty cool technology to be dealing with, but it does show that corporations as well as governments are perfectly capable of taking chips apart.

Simple. It'll become illegal to send random data. How about sending a JPEG of a Jackson Pollock painting? It sure looks like random data. (Pollock's usual method of creating "art" was to cover the floor with canvas, set a ladder in the middle of it, climb up with various colored paint cans, and fling paint.) But since some people will pay large sums for the original, it isn't random data and you could sue for false arrest.

Meanwhile, real terrorists will be sending the communications they need buried in innocuous-looking messages in the clear. Agree on a few code words at a face to face meeting, and then you can make all messages necessary for scheduling and coordination look like ordinary business communications -- e.g., send the target location, date, and time as the time and place for a meeting, an order for "staplers and staples" can refer to guns and ammo,...

Or if they really have to send an incriminating message, there are lots of ways to hide it in an innocuous message. E.g., insert a letter here and a letter there as "misspellings". Flip a few bits in an image or audio file -- if the recipient has an unmodified copy of the file, just do an XOR to recover the hidden message. Or if you want something really sophisticated, hire some underpaid Russian mathematician/programmer.

Or after a decade or two of this sort of sh*t, you'll be able to hire impoverished Americans instead...

If a normal guy like me can come up with these, you know that scary, insidious, Terrorist types are lightyears ahead:

1. Use existing crypto programs or write your own. Anyone with access to a high-level math textbook or a book on encryption and a little bit of coding experience can currently write crypto that is brute-forceable only by supercomputers. The same is true of the existing versions of PGP and other crypto programs available world-wide.

3. Use non government-controlled channels to transmit data. Sneaker-net, by definition, is uncrackable without a spy in the house. No technology currently allows LEO's to read a CD without first placing it in a drive. This may not be far off, but it's still effective, so far as I know. Also, most phone companies can be persuaded to install 'burglar alarm' circuits that are just non-powered plain copper between any two given locations.

4. XOR Crypted data in a manner so that if decrypted without first XORing it back, it will decrypt into useless, but not random information. I'm not a coder, but I can imagine that some talented hacker somewhere could come up with a scheme of encoding a crypted message so that it decrypted as Mom's cookie recipe if you didn't decode it properly.

5. For communications in which anonymity is more important than secrecy, use existing file-sharing networks to propagate messages. Freenet is the best example of this.

6. Transmit textual data in non-standard image formats. ASCII text is easy to detect. A compressed PNG of text data would be much more difficult to detect, especially by automated methods. A compressed or reencrypted raw bitmap would be even more difficult to detect. Existing image scanning programs work by scanning for a predetermined signature. Making images of text so that there is no signature possible is fairly easy in Photoshop.

We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic?

If you're talking about public key cryptography or some form of key exchange protocol (such as what happens with PGP, SSL, and the like), then, yes, there'll be more than one key that can decrypt the message. PGP already allows you to encrypt a message to more than one recipient; a simple solution would be to require all software to always encrypt to Uncle Sam's key in addition to the intended recipients.

The other solution is to weaken the encryption algorithm in some way. There are very subtle approaches, but the simplest is to limit the length of the key. A 40-bit key takes half as long to crack with brute force as a 41-bit key, and a 42-bit key takes twice as long again (all else being equal). If you have an application that uses 128-bit keys, it could be ``dumbed down'' to a 40-bit key by forcing all keys to start with 88 zeroes (or some other known pattern).

How to get people to use such software when there's a wealth of reliable strong cryptographic software readily available is left as an exercise to the reader.

Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

Most encrypted streams have header information to make identification easy for the recipient. If you've ever gotten PGP-signed or -encrypted email, you've seen ``BEGIN PGP MESSAGE'' or some such at the top.

You could, of course, remove all such identification. If the encryption method is strong, what remains is provably indistinguishable from pure noise. If the recipient adds the identification back--if she puts ``BEGIN PGP MESSAGE'' before the bits--the result can be fed to the decryption process without trouble.

But how many people send random bitstreams to each other? Somebody doing so would stand out like a sore thumb against the usual traffic of ASCII.

The most commonly accepted solution is steganography, the art of hiding secrets in plain sight. ``All the twenty clever kings'' could mean ``attack'' if you were to just look at the first letter of every word. Common modern methods of steganography include encoding the message in the low-order bits of a JPEG, but the field is still young and many techniques are a bit crude. If ``they'' are already looking at you, ``they'' will have a good chance of finding the message.

As always, Bruce Schneier's Applied Cryptography is a wonderful resource.

"...how would/does the government know wether a bitstream is random bits, or encrypted data?"

Audio data looks random. MP3 data looks random. What's to stop someone from recording an analogue message in the high or low frequency range of a music recording, then bladeenc it to mp3 and transmit it in the clear? Still looks random.

too much time is being spent thinking about the technical aspects of enforcement and use of 'backdoors'. what everyone's failing to realize is that the technical aspects of crypto laws are irrelevant. it's how they will be used that's important. if any crypto laws are passed, they'll be used in prosecution and trial rather than proactively enforced.

picture this scenario: you are a criminal who has been sending encrypted messages to someone else. you're busted, and on trial you are asked to decrypt the messages. you refuse. you are then thrown in jail for not complying with the crypto laws.

again, i'm not a lawyer, but it seems that if crypto laws will work in this manner, we are throwing away our 5th amendment right to refuse to incriminate ourselves.

It's my primitive understanding of the court system that during a trial, the records of phone calls may be entered into evidence. This is not the actual content of the call, and who made the calls is not part of the evidence. Just the fact that one telephone called another telephone.

Why then must the Feds know what is in a message? If the fact of transmission of a message is adequate, at least in the courts, then why does the content need to be known?

Also, why does the Government believe that it should have the right to be a party to all conversations? If the Feds had a time machine, and could travel back in time and listen in on any conversation, I believe that would be ruled an invasion of privacy. How then is decrypting a message any different?

This is a long post (for me)... It basically contains the majority of a letter that I sent to my representative and senators... It basically states a number of reasons that I think this proposal is inoperable. I encourage all of you to contact your elected representatives as well.

Adam/Zwack

As I feared when I first saw the attack on the World Trade Center, it has been reported (http://www.wired.com/news/politics/0,1283,46816,00.html) that "Sen. Judd Gregg (R-New Hampshire) called for a global prohibition on encryption products without back doors for government surveillance."

Media reports have made it appear that Osama Bin Laden may have used encryption, but it is more likely that he relied on a lack of technology. According to the media, Bin Laden held face-to-face meetings in a private room rather than trusting that the communications channel was not intercepted. One journalist who has met him had some newspapers with him and Bin Laden is reported to have pounced on them and read them as he was so out of touch with the outside world.

Even if there is a ban on encryption products, older encryption products already exist without those back doors. Writing encryption software is not too complicated (Applied Cryptography is about $40) and terrorists and criminals are not going to worry about breaking yet another law. So who would this affect? Criminals? No. Terrorists? No. Penry, The Mild Mannered Janitor? Could Be.

Anyone can do a little research and find out that there are other techniques that cannot be legislated against that are just as effective for secret communications.

Ronald Rivest, one of America's foremost cryptographers published a paper in 1998 called "Chaffing and Winnowing: Confidentiality without Encryption." (http://theory.lcs.mit.edu/~rivest/chaffing.txt) In it he describes a method for plain text communication which does not rely on encryption to hide the message. He then goes on to add more twists to the method, which mean that if someone demanded the actual message you could give them a completely false, and presumably inoffensive, message.

If that wasn't enough to make legislation on encryption pointless, then steganography, the practice of hiding one message inside another, could be used either independently or with "Chaffing and Winnowing". It is possible for messages to be hidden within pictures, movies, sound files and even Stream of Consciousness-like poems easily. The sophistication of some of the programs is astounding. One program (http://www.outguess.org/) actually performs a statistical analysis on the image first to ensure that in hiding the message it does not modify the image too much.

There are numerous other non-technological techniques that could make this law pointless. For example, the terrorists could choose a book, say Hamlet, and spell out their message with the words or letters in that book. A message like "42 23 17 65" is not going to mean much to anyone until they know that in a specific edition of a specific book they should read the twenty third word on page 42, the 65th word on page seventeen... and so on.

They could use a simple code where phrases mean certain things. So "I went to see the new production of Oscar Wilde's Importance of Being Earnest" might mean "The birthday cake arrives tomorrow". As long as only the parties involved know the code phrases, and their meanings this kind of communication is impossible to break.

If encryption software without back doors is outlawed, what will terrorists do? If they're paranoid they'll use illegal encryption to encrypt a code phrase, hide it in an image, and then mix it with several completely innocent, and some totally random streams using chaffing techniques.

That way, by the time the NSA have worked out which streams contain real messages, figured out that one or more of the images contains a steganographically hidden message and broken the encryption on it, they will have wasted weeks in order to get a perfectly normal sentence that isn't going to mean anything to them anyway.

In that same period of time, several companies who are obeying the law and not using encryption will have had their company secrets stolen by other companies, as they couldn't encrypt confidential messages between two of their offices. The French Secret Service was known to pass trade secrets to French companies when the French government was strictly controlling encryption. Add to that the many completely innocent uses of encryption for security and confidentiality: communicating with banks, logging on to remote servers, protecting medical records, implementing Virtual Private Networks and so on. Banning encryption that the government can't decode is more likely to cause harm to the law abiding citizen than it is to stop or reduce terrorist or criminal activities.

In short, any attempt to regulate the free flow of ideas, whether encrypted or unencrypted is only going to hinder law abiding citizens, and effectively punish them, without providing any additional safety. Remember that these hijackings were very low tech, no computers were hacked, no high technology weapons were used, just people armed with knives and the willingness to die.
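The "Chaffing and Winnowing" paper cited in the letter above describes confidentiality built from authentication alone: the sender emits one packet per bit with a valid MAC, interleaved with "chaff" packets carrying the opposite bit and a random tag, and the receiver "winnows" by keeping only packets whose MAC verifies. The Python below is an added example written for this page, not code from Rivest's paper or from the poster; it assumes HMAC-SHA256 truncated to 8 bytes as the MAC and a 4-byte sequence number, and it implements only the base scheme, not the decoy-message twist the letter also mentions:

```python
import hashlib
import hmac
import secrets

TAG_LEN = 8  # truncated HMAC-SHA256 tag, in bytes (assumption for this example)


def to_bits(data: bytes) -> list:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    """Inverse of to_bits; len(bits) must be a multiple of 8."""
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))


def tag(key: bytes, seq: int, bit: int) -> bytes:
    """MAC over (sequence number, bit). This is the only thing that marks wheat."""
    msg = seq.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def chaff(message: bytes, key: bytes) -> list:
    """Sender side: for every bit emit the real packet (valid MAC) and a chaff
    packet carrying the opposite bit with a random tag, in random order.
    Nothing in the stream is encrypted; packets are (seq, bit, tag) triples."""
    rng = secrets.SystemRandom()
    stream = []
    for seq, bit in enumerate(to_bits(message)):
        wheat = (seq, bit, tag(key, seq, bit))
        bogus = (seq, 1 - bit, secrets.token_bytes(TAG_LEN))
        pair = [wheat, bogus]
        rng.shuffle(pair)
        stream.extend(pair)
    return stream


def winnow(stream: list, key: bytes) -> bytes:
    """Receiver side: keep packets whose MAC verifies, reassemble by sequence
    number. With the wrong key nothing verifies and the result is empty."""
    kept = {}
    for seq, bit, t in stream:
        if hmac.compare_digest(t, tag(key, seq, bit)):
            kept[seq] = bit
    return from_bits([kept[s] for s in sorted(kept)])


def eavesdropper_sees_both_values(stream: list) -> bool:
    """Without the key every sequence number carries both a 0 and a 1, so the
    packet contents alone determine nothing about the message."""
    seen = {}
    for seq, bit, _ in stream:
        seen.setdefault(seq, set()).add(bit)
    return all(bits == {0, 1} for bits in seen.values())


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    s = chaff(b"the cake arrives tomorrow", k)
    print(len(s), "packets;", "both bit values everywhere:", eavesdropper_sees_both_values(s))
    print(winnow(s, k))
```

The point for the regulatory debate is visible in the code: there is no encryption step and no decryption key to escrow, only a MAC key, and a MAC is exactly the primitive that export and escrow rules have always permitted. The cost is bandwidth (two packets per bit here), which is why the paper pairs it with a package transform for bulk data.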

Key Escrow, where some percentage of the private key is registered with the Govt.

Synonyms (which requires weak algorithms), where a third "key" is generated, which is different from, but functionally identical to, the private key. One way to do this is to fix certain bits. This was accidentally done in some early SSL implementations for Netscape.

DH duplicates, where key exchanges are automatically forwarded by the hardware and/or software.

"Skeleton Keys", where the hardware logs the keys used, and transmits them on request.

The way key escrow systems work is the decryption key is encrypted using a new randomly generated key. (This can be repeated for keys to be escrowed with more than two entities.) The new key(s) and the encrypted decryption key are then sent to different escrow agents. Since both the encrypted key and the key(s) used to encrypt it are required to recover the decryption key and decode messages, it requires the cooperation of all the escrow agents to gain such access.

All that is left is a method of preventing people from using key sets that haven't been escrowed; this can be done by designing cryptographic hardware to only use keys that have been digitally signed by the authority that generated the escrow keys.

Note that when using a general-purpose computer to perform encryption and decryption, there is no easy way to prevent people from using unescrowed keys. Software designed to check for such things can always be patched and disabled.

I'm sure echelon can handle ROT13, but can it handle ROT14? One problem is a minor change in the encryption formula can make the government's efforts futile. Rotate the bits right, rotate them left, invert them, invert the high 4, rotate the low 4, there's lots of combinations. Even if they programmed all the different variations in, it would take a bit of time to process a single e-mail.

What about encryption formulas created in other countries? Didn't we just get past the point where we can export basic encryption? Are they going to ban importing (maybe they already did, I don't know)?

I don't know the answers, unfortunately, neither does the government, but they're gonna pass some laws anyways.

It's easy enough to defeat the backdoor. Double encrypt your message. Once with software that the government does not have a key for and again with the approved method. This way any message that you send will look like gibberish when decrypted with the government key. This will have the added benefit of foiling sniffers that route messages encrypted by un-approved methods to an agency that sorts through them.

The root of this problem is that it can never, EVER work. Mainly because we have freedom of speech, the government can pass as many laws as it likes on legal encryption but they can't enforce them. Think of the civil-disobedient potential. You could get thousands of people to send random encrypted gibberish to one another. Just because the government can't understand it doesn't make it illegal, what's the difference between that and encrypted meaningful information. The answer is none. This is all simply a case of communicating in a language that the government doesn't understand... all well within our rights.

I have no idea if this is how the usual "key escrow" proposals work, but here is a way to do it:

The software generates a random session key, and block-encrypts the plaintext with it. Then it stores two copies of this session key along with the ciphertext. One copy of the key is encrypted with the user's secret key. The other copy is encrypted with Big Brother's public key.

To decrypt the message, a "normal" user, who knows the user's secret key, uses that to get the session key, and uses the session key to get the plaintext. If Big Brother wants to read the message, he uses his private key to decrypt the other copy of the session key, and reads the plaintext that way.

#1 "Key Escrow" - All your keys are simply registered with big brother. To reduce the logistical nightmare, you would likely just register special backdoor keys used to encrypt the session key, which would then be included with the message.

#2 Big brother publishes one or more public keys, to be used to encrypt each session key, which is then included with each message.

The BXA/NSA guidelines for getting permission to export strong crypto include full disclosure on your data formatting, headers, compression, etc. The review process includes submission and approval of test vectors.

It should be noted that once these are required by law, compliance testing could be automated by building systems holding the private keys and testing recovery on live data.

It should also be noted that since (1) no terrorists would use such software; and (2) terrorists are already using steganography to obscure their encrypted data from trivial recognition as ciphertext: This entire effort will have ZERO impact on real terrorism. It's just an attempt by the NSA/FBI to retain their historical ability to eavesdrop trivially on all ordinary civilians everywhere without warrants or oversight. Last week's events were just the pretext they've been waiting for. Anyone telling you different is ignorant or has an agenda...

Basically, the method the crypto backdoors work is by putting a known, designed-in weakness into the algorithm. For example, it could leak key bits into the encrypted stream. The government could then pick the keybits back out of the stream and use them to either directly decrypt the data, or use it to simplify a brute forcing ("OK, we know what 112 bits of the 128-bit key are; now all we need to do is brute force the last 16.")

There is an obvious problem with this from the cryptological angle- the encryption algorithm has to remain secret. Once you figure out the encryption scheme, and notice where the key information is being leaked, you too can take advantage of the back door. It's the classic problem with master keys- once they get out and get duplicated, it quickly becomes worthless to have the locks. So not only do you not dare publish the algorithm, you do not dare let anyone reverse engineer it.

I saw a presentation from a Dr. David Fu with the NSA and he talked (he had to get approval from his boss on the outline) about how one would look at a stream of data (radio pickup) and using statistic info, detect if this fits into the idea of "random" or if it falls into the other category. I would assume that real approaches use something beyond the simple math that was presented to our undergraduate minds, but I know it sure made me think. I didn't take notes at the time, but those of you in colleges and/or cool schools, contact the NSA and see if they might have a PR team, or a person working there who is a graduate of your institution who might want to come back and give a little talk.

There is good reason to suspect that Osama bin Laden has used encryption while discussing plans for terrorism. This has prompted USA to consider laws to regulate encryption, so that the USA can always listen to such discussions.

There is even more reason to suspect that Osama bin Laden has been eating olives while discussing plans for terrorism. Therefore it would be much more effective to mandate all olive stones to carry a hidden microphone that would record and broadcast all discussions taking place in its vicinity, easily catching the political opponents - I mean terrorists.

Some would say that it would be extremely difficult to make sure that every olive would carry its microphone. All it would take is an international treaty mandating microphones to be installed in all prepackaged olives, and outlawing any home production. Then some powerful international organization - or the US government - could go out and bomb all olive producers who do not comply with the microphone directive. Soon nobody would dare to produce rogue olives!

Although this may sound like a totally unrealistic plan, it is in many ways more likely to succeed than any plan limiting the use of encryption. For the first, olives, small as they are, are physical items that will have to be grown somewhere, pickled and processed, and marketed. All this leaves a physical trail of physical olives moving around. On the other hand, cryptographic tools are ethereal words, easily transmitted by whisper, by graffiti, and other totally untraceable means. Besides, most of them are already published in books all around the world! And once an olive is eaten, the stone is discarded, and a new olive must be acquired, hopefully from a compliant source. Not so with crypto tools, they can be used over and over again, so if the foreign competition - I mean the terrorists - have already managed to gain access to some crypto tools, they can keep using them for ever.

Besides, by betting its reputation on microphoning all olives, the US Government would make itself much less of a laughing stock than if they tried to launch a campaign to limit the discussion and use of encryption!

If any backdoor or escrow scheme is to be acceptable for the rest of the world, it must make sure that foreign governments have access to any and all encrypted communications used by US agencies suspected of industrial espionage.

So far the discussion seems to center on PGP and email. That's a bunch of bunk, because in addition to everything that everyone else has mentioned, there are several other routes around a crypto-Carnivore.

1: Move to a different port: Conventionally, email is on port 25. Set up some email servers on some other port, and the content will sail right past Carnivore.

2: Use a different channel, and don't forget that other encrypted channels have their own algorithms.

2a: Use a different channel: Move files around with scp or sftp. Once again, doesn't register as email.

2b: Use a different channel. Use secure websites as intermediaries. When the lock closes in the lower-left corner, it's safe to type your credit card number. It's also safe to communicate other information. Either extra fields can be added, or existing fields can be used. It may even be possible to use innocent eCommerce sites, assuming you've already cracked them.

3: USB keyring hardfiles: Since these alternate channels don't leave encrypted files on the box, put the file on a USB keyring hardfile. Unplug from the system, and keep it on your keyring. If the G-men are after you, you have several options:
a: Take a hammer to it.
b: Scuff your feet, comb your hair, and zap it. They no doubt have ESD protection, but it's probably only good against accidents, not deliberately destructive ESD.
c: Throw it into the traffic.
d: Encrypt it using yet another algorithm - tcfs?

So aside from any other concerns, simply doing something to PGP clearly is not sufficient. You'd need to also weaken https: and SSH, and sniff a LOT more traffic.

But if SSH is given a back door, and we MUST assume that some black-hats or terrorists have recovered it, then how the heck do we do secure administration? We've just opened every remote-admin system to info-terrorism, as well as our eCommerce.

Between weakened/broken encryption and key escrow, I'd choose the latter every time. Both are silly, and would only convey a false sense of security. If it's that serious, I'd think simple traffic analysis would be more informative.

Imagine that A-crowd guy in high school or college you never liked, and always gave you a rough time. Then go through anonymizers, and start sending him encrypted datastreams. Fun, fun, fun.

Some conspiracy theorists already claim that DES has a backdoor, even though there is no public evidence to support the theory and lots to suggest otherwise.

When DES was invented (by IBM, IIRC) and the government wanted to adopt it as a standard, the NSA took a look at it and changed around the S-boxes (where S, I believe, is for Substitution) for the version that is actually used. They offered no description of how they created their S-boxes or what features they offered that the other ones didn't, etc.

One possible explanation is that the NSA added a backdoor into DES that secretly weakened it somehow (e.g., the ciphertext provides information about the key to make an exhaustive key search several orders of magnitude quicker) to the point where they could decrypt a document without necessarily knowing the key ahead of time with a reasonable amount of effort.

There is no public information about successful cryptanalysis of a full (16 round?) version of DES. That is, if such a backdoor exists, and if someone has found it, it's all very hush hush.

The concept of backdoors in cryptosystems is really very messy. It depends way too much on keeping crucial information about the cryptosystem secret. Chances are, if you disclose enough details to implement a cryptosystem and say it has a backdoor, people (good and bad) are going to find it*. If you don't provide information on how it works, it can really only be implemented in "tamper-proof hardware" (a concept almost as flaky as cryptosystems with backdoors), since any software implementation could be disassembled.

To answer your second question, they really can't (as I assume you suspected). So, if the sniffers found some data they couldn't decrypt, they would have to assume it is either, as you said, random data, or data encrypted with an outlawed (read "apparently secure") cryptosystem. In both cases, the sender must be trying to hide something from the government, and is therefore a threat and should be dealt with accordingly. Simple as that.

For anyone who missed it, the current call is for a global ban on strong crypto, not a national one. And in this case "global" means really global, not a "World Series" kind of global.

The next few weeks/months/years will potentially be filled with events and ideas, like this, that change the world we live in. I'm not afraid for our generation. Most of us know what freedom is like, and I really don't think it's something that can be taken away no matter how hard they try. But our unborn children and grandchildren don't. I don't want them living in a world where freedom and privacy are anything other than fundamental rights. I'm currently optimistic; I just hope that's not misplaced.

* And if DES does have a backdoor and no one has found it, then the NSA deserves a pat on the back because they've stumped us all! :)

I explained this to someone else today when asked why I am staunchly against a backdoor/etc in a crypto program.

A good crypto program is based on a function f[x] such that f[x1] = k, and you cannot find x1 if you know the function f[x] and the encrypted value k. This, folks, is hardcore advanced mathematics!

Now add in a regulation that there be some "backdoor" (e.g. some function g such that g[k] = x1 for any encrypted value k). Once that function g[x] is known by anyone (f[x] would have to be made in a way such that g[x] must exist, by the way; it doesn't just happen), then the communications of everyone that uses that encryption algorithm are compromised.

Think of the problems -- no secure transactions (halting "e-business"), no secure transmissions of trade secrets (look at France -- the companies just moved to a different country), and generally no information is secure.

This is my way of explaining to non-geeks why crypto regulations will have near-zero effect:

Imagine that somebody comes up with a way to build a bomb using sugar cookies. A building is blown up. Congress decides to regulate the sale of sugar cookies.

Now any sane person will realize that this is pointless, because any idiot can make their own sugar cookies, and bypass all the regulations. So the regulations can only work if the ingredients are also regulated or banned (flour, sugar, eggs), or perhaps all the sugar cookie recipes are destroyed.

At this point it's pretty obvious that such a scheme would never work. But somehow nobody seems to follow this logic when it comes to encryption. The only ingredients for encryption are general-purpose computers. The recipes are encryption algorithms and computer source code. The recipes can be rediscovered or recreated by smart mathematicians and computer programmers.

So what are we going to do? Regulate computers? Mathematics? Encryption algorithms, dozens of which are published in textbooks around the world?

You could no more regulate computers, mathematics, and algorithms today than you could flour, sugar, eggs, and sugar-cookie recipes. Even if you tried, it would have near-zero effect on the bad guys, and would only increase the risk that grandma's bank account gets emptied, because her password wasn't properly encrypted.

Putting a crypto backdoor in a piece of software is fairly trivial. There is quite a lot of literature about it, and inserting a backdoor in, say, SSL is a very good exercise for students.

Companies which take security seriously don't use Windows for this reason, and I doubt that any intelligence service would ever use any piece of software that has been created in a country other than its own. So how can one possibly imagine that "bad guys" would use backdoored software? They'll rewrite one of their own, that's all. Implementing RC4 is a matter of hours...

People have to realize that the Internet sets information free. Any kind of information. From anyone. To anyone. And there is nothing you can do against this.

It is impossible to prevent terrorists from using strong cryptography. Terrorists already use it and would continue to do so if it were illegal. However, if it were illegal, the number of messages that would be unreadable by law-enforcement personnel would be vastly reduced. Any remaining unreadable messages would provide strong evidence that the senders, and perhaps the intended recipients, are involved in some form of illegal activity, at the very least the illegal activity of using unapproved strong cryptography.

Thus the primary purpose of the proposed legislation is not to allow law-enforcement personnel to read terrorists' communications -- terrorists will continue to use unreadable, strong cryptography -- but rather to narrow the search space that law-enforcement personnel must examine when hunting for suspected criminals. One would presume that if a person were discovered to have used unapproved cryptography, such evidence alone would be sufficient to obtain warrants for full searches, wire-tapping, keyboard recording, and the like, and those additional measures would likely yield hard evidence of any additional illegal activities. Thus it is not necessary to decrypt the criminals' messages: The illegally encrypted messages alone are sufficient to reveal suspects, and then old-fashioned investigative methods are likely to be effective.

Of course, the effectiveness of this law-enforcement technique depends on having a practical and enforceable definition of "unapproved cryptography". The problem for law-enforcement personnel -- and law-abiding citizens who wish to protect their legitimate secrets -- thus becomes determining what constitutes an illegally encrypted message. It is well known that a message that has been encrypted with a one-time pad cannot be distinguished from a string of random bits. Should the government also make access to true randomness illegal so that any string of bits that seems sufficiently random can be assumed to be an illegally encrypted message? Further, is it realistic to believe that covert channels and steganography are detectable?

If not, how will law-enforcement personnel detect illegally encrypted messages? And what if they can't? In that case, what real security have we citizens purchased by sacrificing our liberties?

Those are the questions I want my government to answer. Until they are answered -- and hard evidence provided to support the answers -- I must remain sceptical.

Just ask McGlen.com - they informed me yesterday that 'an unidentified individual gained access to certain protected files maintained by Mcglen.com through a security breach in Microsoft Internet Information Server.' and thus may have my credit card # - how comforting. Funny that they don't also take some of the blame for not keeping their servers patched current. 'Course serves me right for ordering from a site that uses IIS :) 'Cept, well, it wasn't me - it was my wife :)

This changes drastically if low-end crypto, even backdoored crypto, becomes used routinely for email traffic.

There are two reasons for this: First, it takes a significant amount of CPU time to break and decode an encrypted message, even if you have retrieved the key from the escrow agents. Decoding the traffic to and from a few selected email accounts is one thing, but having a system decoding and monitoring routine traffic is another matter entirely.

The second reason is that, if you take a message that's been encrypted using a military-grade cryptosystem, and then encrypt those results with a weak system (such as DES-40), it is impossible to tell that message apart from a routine message only encrypted with a weak system without decrypting both. In other words, there is no way to casually monitor lightly encrypted message traffic and pick out the people using unlawful encryption.

As a result, if weak encryption becomes common, people who wish to keep their messages secure can do so without tipping off the law. It is only if you are already suspect that your use of high-grade encryption would be discovered.
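As an added illustration (not from any poster in this thread) of three points made above: the statistical "random or not" test the NSA talk described, the claim that one-time-pad output is indistinguishable from random bits, and the weak-over-strong trick in the comment just above. The samples are all constructed; a one-time pad stands in for the "military-grade" layer and a toy 5-byte repeating XOR for the "weak system", neither being a real cipher, and the 7.5 bits/byte threshold is an assumption.

```python
"""Byte-entropy 'random or encrypted?' check over constructed samples.
Added example, not from the original thread. The one-time pad is the
stand-in 'strong' layer; the short repeating XOR is the stand-in 'weak system'."""
import math
import random
from collections import Counter

# Constructed English sample, repeated to a realistic message size.
PLAINTEXT = (b"Meeting moved to thursday. Bring the quarterly figures and the "
             b"draft contract; we sign after lunch if legal has no objections. ") * 64

_rng = random.Random(20010920)  # seeded stand-in for a true random source
RANDOM_BITS = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))
ONE_TIME_PAD = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))
WEAK_KEY = b"\x3a\x91\x07\xc4\x5f"  # toy short key: the "weak system" (not DES-40)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum, reached by uniform random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_random(data: bytes, threshold: float = 7.5) -> bool:
    """Crude classifier: near-maximal byte entropy reads as 'random or encrypted'."""
    return shannon_entropy(data) >= threshold

def xor_with(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating it as needed (a true OTP when key is full-length random)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def otp_ciphertext() -> bytes:
    return xor_with(PLAINTEXT, ONE_TIME_PAD)

def weak_only() -> bytes:
    """Routine message: plaintext under the weak system alone."""
    return xor_with(PLAINTEXT, WEAK_KEY)

def weak_over_strong() -> bytes:
    """Superencryption: strong layer first, then the weak system on top."""
    return xor_with(otp_ciphertext(), WEAK_KEY)

def peel_weak_layer(ciphertext: bytes) -> bytes:
    """What a key-escrow holder sees after removing the weak layer it has the key for."""
    return xor_with(ciphertext, WEAK_KEY)

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT), ("random bits", RANDOM_BITS),
                       ("one-time-pad ciphertext", otp_ciphertext()),
                       ("weak-only, peeled", peel_weak_layer(weak_only())),
                       ("weak-over-strong, peeled", peel_weak_layer(weak_over_strong()))]:
        print(f"{name:26s} {shannon_entropy(blob):5.2f} bits/byte  random? {looks_random(blob)}")
```

With the weak key in hand, peeling the outer layer exposes the routine message but only another random-looking stream for the superencrypted one; the entropy test says whether something was encrypted, not whether it was "approved".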

But the crooks could still write their own crypto software and then run it through the crypto chip. Then when Johnny Law decodes the bitstream, he gets another bitstream that is indistinguishable from noise.

The government has a choice: have crypto be available to the law-abiding and the crooks, or have crypto available only to the crooks. As you can see, the crooks will always have crypto available to them.

The government cannot even stop someone from bringing cocaine into the country, how the hell are they going to stop a crypto program from spreading?

"Keep in mind that the bastards who attacked us last week were willing to (A) die and (B) train for years to be pilots."

This is one of the most important points. You can't fight this sort of fanaticism. There is nothing you can do that is bad enough or hard enough to deter such people. They're willing to die, and going out fighting is the best possible way -- it makes them martyrs.

I will point out that they needed a LOT less money than everyone seems to think. It took me about $4500 to get my basic pilot's license. A copy of FlightSim was another $80 or so. The hardest part of flying a 737 is getting it on the ground in one piece. The second-hardest part is getting it in the air. Everything else is basically "point the nose where you want it to go".

I suspect a couple of them went to flight school to learn about things like transponders (which they shut off), basic radio navigation and the special radio codes used to notify the ground you've been hijacked without actually having to say it out loud.

You really didn't need radio navigation to find the WTC. From inland US, you could just go east until you reached the ocean, then turn left. The buildings were visible (if you were a couple miles up) from more than 30 miles away.

So that this isn't completely OT, see this article [theregister.co.uk] in The Register [theregister.co.uk]. It seems bin Laden isn't using any technology now, and the Feds have no idea where he even is. They still want those back doors in crypto, and they have to push now before people start thinking a bit.

Haven't you ever seen the movies.. the sky is pink.. it is a beautiful day to die.. but the birds are singing.. yet the clouds are gray.. sure it means nothing in an email, but if you have some secret "decoder ring" then these sentences can have new meanings.. meanwhile the FBI, CIA are all wondering why Akmed is talking about the F**k*** sky...

I remember hearing that in WWII they used other languages, like some American Indian language, to do encryption..